b7e75df19b
Add note as include

Add include where renewBefore is mentioned

Address patchset 1 review comments

Closes-Bug: 2042545
Change-Id: Iad4f58fd2cd4743605089b453ededce1e720c8e9
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
114 lines
3.7 KiB
ReStructuredText
.. _configure-rest-api-applications-and-web-administration-server-certificates-after-installation-6816457ab95f:

=========================================================================
Configure REST API Applications and Web Administration Server certificate
=========================================================================

.. rubric:: |context|

|prod| provides support for secure HTTPS external connections used for
StarlingX REST API application endpoints (Keystone, Barbican and StarlingX) and
the |prod| web administration server. By default, HTTPS access to StarlingX
REST and Web Server endpoints is disabled. They are accessible via HTTP only.
To enable secure HTTPS access, an X.509 certificate and key must be configured.

You can update the certificate used for HTTPS access at any time.

To configure or update the HTTPS certificate for the StarlingX REST API and Web
Server endpoints, create a certificate named ``system-restapi-gui-certificate``
in the ``deployment`` namespace. The ``secretName`` attribute of this
certificate's spec must also be named ``system-restapi-gui-certificate``.

See the example procedure below for creating the certificate for the StarlingX
REST API and Web Server endpoints.

Update the following fields:

* The ``duration`` and ``renewBefore`` values for the expiry and renewal times
  you desire. The system will automatically renew and re-install the
  certificate.

  .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest

* The ``subject`` fields to identify your particular system.

* The ``ipAddresses`` with the |OAM| Floating IP Address for this system.

* The ``dnsNames`` with any |FQDN| names configured for this system in an
  external DNS server.

.. note::

   If you plan to use the container-based remote CLIs, due to a limitation in
   the Python2 SSL certificate validation, the certificate used for
   ``system-restapi-gui-certificate`` must have either:

   - CN=IPADDRESS and SANs=IPADDRESS

   or

   - CN=FQDN and SANs=FQDN

   where IPADDRESS and FQDN are those of the |OAM| Floating IP Address.

.. rubric:: |proc|

#. Create the REST API certificate YAML configuration file.

   .. code-block::

      ~(keystone_admin)]$ cat <<EOF > restapi-certificate.yaml
      ---
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: system-restapi-gui-certificate
        namespace: deployment
      spec:
        secretName: system-restapi-gui-certificate
        issuerRef:
          name: system-local-ca
          kind: ClusterIssuer
        duration: 2160h # 90 days
        renewBefore: 360h # 15 days
        commonName: < oam floating IP Address or FQDN >
        subject:
          organizations:
          - ABC-Company
          organizationalUnits:
          - StarlingX-system-restapi-gui
        ipAddresses:
        - < oam floating IP address >
        dnsNames:
        - < oam floating FQDN >
      EOF

#. Apply the configuration.

   .. code-block::

      ~(keystone_admin)]$ kubectl apply -f restapi-certificate.yaml

#. Verify the configuration.

   .. code-block::

      ~(keystone_admin)]$ kubectl get certificate system-restapi-gui-certificate -n deployment

   If configuration was successful, the certificate's Ready status will be
   ``True``.

.. rubric:: |result|

The REST and Web Server certificate installation is now complete, and
Cert-Manager will handle the lifecycle management of the certificate.

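As an added check that is not part of the StarlingX documentation, the following shell helpers confirm that an issued certificate meets the CN and SAN requirement described in the note above (CN equal to the |OAM| Floating IP Address or FQDN, and the same value also present as a SAN). The command that would produce the input on a controller is shown in a comment; the sample ``openssl`` output, addresses and names are constructed, and ``kubectl``, ``base64`` and ``openssl`` 1.1.1 or later (for ``-ext``) are assumed.

```shell
#!/bin/sh
# Added example, not part of the StarlingX docs: check that an issued
# certificate's CN names the expected OAM floating IP address or FQDN and
# that the same value is also present as a SAN (see the note above).
# On a controller the input text would come from (assumed tools: kubectl,
# base64, openssl >= 1.1.1 for -ext):
#   kubectl get secret system-restapi-gui-certificate -n deployment \
#       -o jsonpath='{.data.tls\.crt}' | base64 -d \
#       | openssl x509 -noout -subject -ext subjectAltName

# cert_cn TEXT: print the CN value found on the "subject=" line.
cert_cn() {
  printf '%s\n' "$1" \
    | sed -E -n 's|^subject=.*CN *= *([^,/]*).*$|\1|p' \
    | sed -E 's/[[:space:]]*$//'
}

# cert_sans TEXT: print one SAN value per line (IP Address: and DNS: entries).
cert_sans() {
  printf '%s\n' "$1" \
    | sed -E -n '/^[[:space:]]*(IP Address|DNS):/p' \
    | tr ',' '\n' \
    | sed -E 's/^[[:space:]]*(IP Address|DNS):[[:space:]]*//; s/[[:space:]]*$//'
}

# check_cert_identity TEXT EXPECTED: succeed only if CN equals EXPECTED and
# EXPECTED is also one of the SANs.
check_cert_identity() {
  cn=$(cert_cn "$1")
  [ -n "$cn" ] && [ "$cn" = "$2" ] || return 1
  for san in $(cert_sans "$1"); do
    [ "$san" = "$2" ] && return 0
  done
  return 1
}

# Constructed sample of the openssl output; addresses and names are placeholders.
SAMPLE_OK='subject=CN = 10.10.10.2, O = ABC-Company, OU = StarlingX-system-restapi-gui
X509v3 Subject Alternative Name:
    IP Address:10.10.10.2, DNS:oam.example.com'

# Constructed failing case: CN is the FQDN but only the IP address is a SAN.
SAMPLE_BAD='subject=CN = oam.example.com, O = ABC-Company
X509v3 Subject Alternative Name:
    IP Address:10.10.10.2'

if check_cert_identity "$SAMPLE_OK" "10.10.10.2"; then
  echo "CN and SAN both match 10.10.10.2"
fi
```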
---------------------------------------------------------------------------
Limitations for using IPv6 addresses related to management and OAM networks
---------------------------------------------------------------------------

.. include:: /shared/_includes/cert-mgmt-ipv6-address-limitation-1a4504370674.rest